author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2018-07-27 16:38:00 +0200
committer | Matthieu Herrb <matthieu@herrb.eu> | 2018-08-21 16:43:22 +0200
commit | e83722768fd5c467ef61fa159e8c6278770b45c2 (patch)
tree | 60bfca73d8cd3890c1bdabadc359bc6dc42617f6
parent | dbf72805fd9d7b1846fe9a11b46f3994bfc27fea (diff)
Fixed crash on invalid reply (CVE-2018-14598).

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)

turns into

    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
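As an added illustration of the bug described above (not code from this commit or from libX11), the following C reproduces the shape of the unpacking loop the two hunks change, the `list[0]-1` freeing convention that made a NULL first entry fatal, and the fixed behaviour of returning NULL with a count of 0; the function names `unpack_strings`, `free_strings` and `check_samples` are made up, and the two reply bodies are constructed samples.

```c
#include <stdlib.h>
#include <string.h>
/* libX11-style unpacking of an X11 LISTofSTR body (a length byte, then that
 * many bytes, repeated) into C strings: entry i points just past its length
 * byte and each following length byte is overwritten with '\0'. */
char **unpack_strings(const unsigned char *body, size_t rlen,
                      unsigned nstrings, unsigned *count)
{
    char **list = malloc(nstrings * sizeof *list);
    unsigned char *ch = malloc(rlen + 1), *chend; /* +1: room for last '\0' */
    unsigned length, i;
    *count = 0;
    if (!list || !ch || nstrings == 0) { free(list); free(ch); return NULL; }
    memcpy(ch, body, rlen); ch[rlen] = '\0';
    chend = ch + rlen;
    length = *ch;
    for (i = 0; i < nstrings; i++) {
        if (length < (unsigned)(chend - ch)) { /* i.e. ch + length < chend */
            list[i] = (char *)ch + 1;   /* skip over the length byte */
            ch += length + 1;           /* on to the next length byte */
            length = *ch;
            *ch = '\0';                 /* terminate the string just stored */
            (*count)++;
        } else if (i == 0) {
            /* the fix: nothing stored yet and ch is still the buffer start */
            free(list); free(ch);
            return NULL;                /* count stays 0 */
        } else
            list[i] = NULL;             /* unchanged: a later entry truncated */
    }
    return list;
}

/* As XFreeExtensionList/XFreeFontPath: the buffer starts one byte before the
 * first string, so list[0] - 1 recovers it; with list[0] == NULL this crashes. */
void free_strings(char **list)
{ if (list) { free(list[0] - 1); free(list); } }

/* Constructed replies: a valid pair, then the CVE case (length byte 9, only 3
 * bytes follow).  Returns 2 when both behave as the fixed code should. */
int check_samples(void)
{
    static const unsigned char ok[] = {3, 'a', 'b', 'c', 2, 'x', 'y'};
    static const unsigned char bad[] = {9, 'a', 'b', 'c'};
    unsigned n; char **l = unpack_strings(ok, sizeof ok, 2, &n); int good = 0;
    good += l && n == 2 && !strcmp(l[0], "abc") && !strcmp(l[1], "xy");
    free_strings(l);
    good += unpack_strings(bad, sizeof bad, 1, &n) == NULL && n == 0;
    return good;
}
```

Before the fix, the second sample would have produced a one-entry list with `list[0] == NULL` and `free_strings` would have called `free(NULL - 1)`.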
-rw-r--r-- | src/GetFPath.c | 5
-rw-r--r-- | src/ListExt.c | 5
2 files changed, 10 insertions, 0 deletions
diff --git a/src/GetFPath.c b/src/GetFPath.c index 813757cc..87d25761 100644 --- a/src/GetFPath.c +++ b/src/GetFPath.c @@ -78,6 +78,11 @@ char **XGetFontPath( length = *(unsigned char *)ch; *ch = '\0'; /* and replace with null-termination */ count++; + } else if (i == 0) { + Xfree(flist); + Xfree(ch); + flist = NULL; + break; } else flist[i] = NULL; } diff --git a/src/ListExt.c b/src/ListExt.c index 0498aa18..a795041d 100644 --- a/src/ListExt.c +++ b/src/ListExt.c @@ -83,6 +83,11 @@ char **XListExtensions( length = *(unsigned char *)ch; *ch = '\0'; /* and replace with null-termination */ count++; + } else if (i == 0) { + Xfree(list); + Xfree(ch); + list = NULL; + break; } else list[i] = NULL; } |
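Review bot: in the new `else if (i == 0)` branch of XGetFontPath, `Xfree(ch)` is only correct because at i == 0 no string has been consumed yet and `ch` still points at the start of the reply buffer; a one-line comment stating that invariant (or freeing a saved base pointer instead of the cursor) would keep a later change to the loop from turning this into a free of an interior pointer. The rest of the branch matches the commit message: `count` is still 0 and `flist` becomes NULL, so XFreeFontPath never computes `flist[0]-1` from a NULL entry. Minor: the pre-existing `else flist[i] = NULL` path for i > 0 keeps iterating over the remaining indices rather than breaking; harmless, but a `break` there would mirror the new branch.

Review bot: this hunk in XListExtensions is the same five lines as in src/GetFPath.c with `list` for `flist`, so the two unpacking loops now have to be kept in sync by hand; a shared helper, or at least a cross-reference comment in both files, would reduce the chance of one copy drifting. The same caveat applies to `Xfree(ch)`: it relies on the cursor not having advanced at i == 0. Returning NULL with a count of 0 is what makes XFreeExtensionList's `Xfree (list[0]-1)` safe, and callers that already test the return value for NULL need no change.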